W3C home > Mailing lists > Public > public-xmlsec@w3.org > July 2012

RE: Security issue in XML Encryption 1.1, Bleichenbacher revisited.

From: Magnus Nystrom <mnystrom@microsoft.com>
Date: Tue, 24 Jul 2012 00:31:34 +0000
To: "Frederick.Hirsch@nokia.com" <Frederick.Hirsch@nokia.com>, "public-xmlsec@w3.org" <public-xmlsec@w3.org>
Message-ID: <D744D68428430B4F9C81DE8A4D5950681590DAC7@TK5EX14MBXW604.wingroup.windeploy.ntdev.microsoft.com>
Personally, I do not find that necessary, Frederick. Firstly, PKCS #1 v1.5 is only required for transport of 3-DES keys. For AES keys, OAEP is already recommended. Secondly, I think our Security Considerations note properly captures the considerations that should be taken into account when using PKCS #1 v1.5. Thirdly (and given the previous two points), I think we need to stop making minor updates and conclude ... :)

And ultimately, I'd like to move towards KEM due to its better security properties (than both OAEP and PKCS #1 v1.5), but I guess that's for later.

-- Magnus

> -----Original Message-----
> From: Frederick.Hirsch@nokia.com [mailto:Frederick.Hirsch@nokia.com]
> Sent: Monday, July 23, 2012 2:11 PM
> To: public-xmlsec@w3.org
> Cc: Frederick.Hirsch@nokia.com
> Subject: Security issue in XML Encryption 1.1, Bleichenbacher revisited.
> 
> >From the recently published paper, "Bleichenbacher's Attack Strikes Again:
> Breaking PKCS#1 v1.5 in XML Encryption"
> 
> http://www.nds.rub.de/media/nds/veroeffentlichungen/2012/07/11/XMLe
> ncBleichenbacher.pdf
> 
> [[
> Recently the XML Encryption standard was updated, in response to an attack
> presented at CCS 2011. The attacks described in this paper work even against
> the updated version of XML Encryption. Our work shows once more that
> legacy cryptosystems have to be used with extreme care, and should be
> avoided wherever possible, since they may lead to practical attacks.
> 
> ...
> 
> 
> XML Encryption allows the usage of block ciphers in the cipher-block chaining
> (CBC) mode-of-operation. CBC exhibits a weakness [29] that allows an
> adversary to make modifications to the encrypted plaintext, by XORing
> arbitrary bit strings to the plaintext. We show that it is possible to use this
> weakness as an alternative way to determine whether a PKCS#1 v1.5
> ciphertext is "valid" or not.
> 
> Besides CBC mode, the updated version of the XML Encryption specification
> allows to use the GCM mode of operation. This mode was introduced to
> prevent the attacks from [10]. Interestingly, the CBC- attack we describe in
> this paper allows to decrypt GCM ciphertexts, too - if the receiving Web
> Service is able to decrypt CBC ciphertexts, which is mandatory for any
> standard-compliant implementation. This is due to the fact that we use the
> PKCS#1 v1.5 weakness in combination with the CBC weakness only to
> decrypt the session key. After we have obtained this session key, we can
> decrypt an arbitrary ciphertext, regardless of whether it is encrypted using
> CBC, GCM, or any other mode-of-operation.
> 
> ...
> 
> The W3C XML Encryption working group added a remark to the updated
> standard [5, Section 6.1.2] which addresses our attack and recommends to
> use PKCS#1 v2.1 (aka. RSA-OAEP) instead. However, PKCS#1 v1.5 is still
> contained in the standard, and mandatory for any standard-compliant
> implementation.
> ]]
> 
> All:
> 
> What would be the implication of disallowing RSA-1.5 for key transport in
> XML Encryption 1.1, thus encouraging a shift to RSA-OAEP?
> 
> Couldn't legacy implementations continue to be compliant with XML
> Encryption 1.0 with this update to XML Encryption 1.1?
> 
> regards, Frederick
> 
> Frederick Hirsch, Nokia
> Chair XML Security WG
> 
> 
> 
> 
Received on Tuesday, 24 July 2012 00:32:08 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 24 July 2012 00:32:09 GMT